European Commission puts UK in the dock over Phorm

You should have stopped covert trial, Information Commissioner told

The European Commission began legal action against the UK over its failure to protect Internet users from Phorm, a covert behavioural advertising system tested by BT in 2006 and 2007.

The move signals growing concern in Brussels over the way new internet-based technologies are using people's personal data. In addition to taking legal action against the UK, the Commission also issued a general warning to all 27 EU countries to uphold privacy laws, especially regarding social-networking web sites and users of RFID technologies.

The Commission, the executive body of the European Union responsible for upholding laws, said the UK had failed to enforce EU data protection and privacy rules, because broadband internet subscribers were not informed that their browsing was being tracked.

"We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentiality of communications," said Viviane Reding, the EU's telecom commissioner.

She called on the UK to change its national laws and ensure that its national privacy authority is given greater powers to tackle privacy threats from emerging technologies. "This should allow the UK to respond more vigorously to new challenges to eprivacy and personal data protection such as those that have arisen in the Phorm case. It should also help reassure UK consumers about their privacy and data protection while surfing the internet," Reding said.

In a video blog posted on Tuesday, Reding said EU rules are adequate to deal with new technologies, but that they are not always being properly enforced at national level.

"Technologies like internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules," Reding said.

"European privacy rules are crystal clear: a person's information can only be used with their prior consent. We cannot give up this basic principle, and have all our exchanges monitored, surveyed and stored in exchange for a promise of 'more relevant' advertising. I will not shy away from taking action where an EU country falls short of this duty," said Reding in her video message.

She also called on social-networking companies to reinforce privacy protection online.

In February the Commission brokered an agreement between 17 major social-networking sites to improve privacy, especially of minors. The companies promised to ensure child safety and committed to enabling and encouraging users to employ a safe approach to personal information and privacy.

Later this month the companies will inform the Commission about their individual safety policies and how they will implement the agreement's principles.

Reding also singled out RFID technology as a potential area for concern. The smart chips integrated in products would only realise their economic potential "if they are used by the consumer and not on the consumer," Reding said.

"No European should carry a chip in one of their possessions without being informed precisely what they are used for, with the choice to remove or switch it off at any time," she said.

In April last year BT admitted that it had tested Phorm in 2006 and 2007 without informing customers involved in the trial.

BT carried out a new trial of the technology from October to December 2008, but this time it did seek prior consent from subscribers. BT's trials resulted in a number of complaints to the UK data protection authority, the Information Commissioner's Office, and to the UK police, as well as to the Commission.

The UK government has two months to respond to the letter of formal notice sent Tuesday. Failure to do so, or failure to address the problems highlighted in the letter, will force the Commission to issue a so-called reasoned opinion, the final step before taking the UK government to the European Court of Justice, the EU's highest legal authority.